{"id":19810,"date":"2022-08-10T05:20:52","date_gmt":"2022-08-10T13:20:52","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/08\/10\/news-13543\/"},"modified":"2022-08-10T05:20:52","modified_gmt":"2022-08-10T13:20:52","slug":"news-13543","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/08\/10\/news-13543\/","title":{"rendered":"Microsoft squares away 121-CVE Patch Tuesday for August"},"content":{"rendered":"<p><strong>Credit to Author: Angela Gunn| Date: Wed, 10 Aug 2022 12:31:41 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p>Microsoft on Tuesday released patches for 121 vulnerabilities in eight Microsoft product families. This includes 16 Critical-class issues affecting Azure, Exchange, and Windows. Once again the majority of CVEs affect Windows; the operating system takes the lion\u2019s share of the CVEs with 61, followed by 44 for Azure. Three of the included Important-severity patches address boot-loader issues in non-Microsoft products and were apparently helmed not by Microsoft but by CERT\/CC, as occasionally happens when one vulnerability affects multiple vendors. Two CVEs involving Windows Digital Media Receiver affect not only Windows but multiple digital formats.<\/p>\n<p>One vulnerability, CVE-2022-30134, has been publicly disclosed. That elevation-of-privilege issue affects Exchange Server (versions 2013, 2016, and 2019), but would require the attacker to entice a victim to visit a specially crafted server share or website \u2013 a sufficiently high bar that Microsoft claims exploitation is unlikely.<\/p>\n<p><strong>Follina and Friends<\/strong><\/p>\n<p>One Important-class Remote Code Execution issue, affecting Microsoft Windows\u2019 Remote Diagnostic Tool (MSDT), is currently under active exploit in the wild. 
The &#8220;DogWalk&#8221; issue, CVE-2022-34713, is closely related to the <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/05\/30\/follina-word-doc-taps-previously-unknown-microsoft-office-vulnerability\/\">Follina<\/a> issue (CVE-2022-30190) that burst onto the scene in late May. The previous CVE was <a href=\"https:\/\/nakedsecurity.sophos.com\/2022\/06\/15\/follina-gets-fixed-but-its-not-listed-in-the-patch-tuesday-patches\/\">quietly<\/a> patched in June, and a defense-in-depth update was issued in July.<\/p>\n<p>The MSDT issue covered in CVE-2022-34713 is actually older than the Follina variant; it was first reported to Microsoft in December 2019 by researcher Imre Rad. At that time, Microsoft\u2019s investigation identified it to Rad as not being a security issue, at which point Rad <a href=\"https:\/\/irsl.medium.com\/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd\">disclosed<\/a> his findings to the general public. Microsoft reassessed the bug and informed Rad on August 4 of this year that it is, in fact, a security issue. 
With interest and activity high around the matter, we recommend that administrators prioritize this CVE this month.<\/p>\n<p><strong>By the Numbers<\/strong><\/p>\n<ul>\n<li>Total Microsoft CVEs: 121<\/li>\n<li>Total advisories shipping in update: 2<\/li>\n<li>Publicly disclosed: 1 (CVE-2022-30134)<\/li>\n<li>Exploitation detected: 1 (CVE-2022-34713)<\/li>\n<li>Exploitation more likely: 20 (both older and newer product versions)<\/li>\n<li>Severity\n<ul>\n<li>Critical: 16<\/li>\n<li>Important: 103<\/li>\n<li>Moderate: 1<\/li>\n<li>Low: 1<\/li>\n<\/ul>\n<\/li>\n<li>Impact\n<ul>\n<li>Elevation of Privilege: 61<\/li>\n<li>Remote Code Execution: 31<\/li>\n<li>Information Disclosure: 13<\/li>\n<li>Security Feature Bypass: 8<\/li>\n<li>Denial of Service: 6<\/li>\n<li>Spoofing: 1<\/li>\n<li>Defense in Depth: 1<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-01-2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-86305\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-01-2.png\" alt=\"Bar graph showing impact and severity ratings for the 121 CVEs covered in August 2022's Patch Tuesday updates\" width=\"640\" height=\"471\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-01-2.png 2934w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-01-2.png?resize=300,221 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-01-2.png?resize=768,565 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-01-2.png?resize=1024,754 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-01-2.png?resize=1536,1131 1536w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-01-2.png?resize=2048,1508 2048w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 1: Approximately two-thirds of the Elevation of Privilege CVEs dominating the August patch 
collection belong to Azure<\/em><\/p>\n<ul>\n<li>Products\n<ul>\n<li>Microsoft Windows: 61 (including two also classified as \u201cvideo formats\u201d below)<\/li>\n<li>Azure: 44<\/li>\n<li>Exchange: 6<\/li>\n<li>Microsoft Office: 4<\/li>\n<li>Edge: 3<\/li>\n<li>Video formats (AV1, HEIF, HEVC, VP9, WebP): 2 (also counted in Windows, above)<\/li>\n<li>.NET: 1<\/li>\n<li>System Center Operations Manager: Open Management Interface: 1<\/li>\n<li>Visual Studio: 1<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-02-2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-86306\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-02-2.png\" alt=\"bar chart showing the nine product families affected by the August Patch Tuesday updates\" width=\"640\" height=\"450\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-02-2.png 3071w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-02-2.png?resize=300,211 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-02-2.png?resize=768,540 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-02-2.png?resize=1024,720 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-02-2.png?resize=1536,1080 1536w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-02-2.png?resize=2048,1440 2048w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 2: The two CVEs affecting multiple digital file formats (CVE-2022-35746, CVE-2022-35749) are represented twice in this chart (under both \u2018Windows\u2019 and \u201cVideo formats\u201d), since anyone using those formats outside Windows is presumably affected<\/em><\/p>\n<p><strong>Notable Vulnerabilities<\/strong><\/p>\n<p><strong>Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability (CVE-2022-34713)<\/strong><\/p>\n<p>As noted above, 
this CVE involves a close variant of the <a href=\"https:\/\/msrc-blog.microsoft.com\/2022\/05\/30\/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability\/\">CVE-2022-30190 issue<\/a> flagged in late May as the heart of \u201cFollina.&#8221; The most likely attack vector for this path-traversal flaw would be a specially crafted file, either sent to the user via email (and opened by the user) or hosted on an external site to which the user was routed. The issue affects all versions of Windows.<\/p>\n<p><strong>44 CVEs, Azure<\/strong><\/p>\n<p>We\u2019ve noticed a trend in the last few months: Azure patches. Lots of them. The volume of patched vulnerabilities in Azure has rocketed over the summer, as shown in Figure 3:<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-azure.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-86308\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-azure.png\" alt=\"Stacked bar chart showing the increase in Azure vulnerabilities over the past six months\" width=\"640\" height=\"418\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-azure.png 1653w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-azure.png?resize=300,196 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-azure.png?resize=768,502 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-azure.png?resize=1024,669 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-azure.png?resize=1536,1004 1536w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 3: It\u2019s not your imagination: It has indeed been a cruel summer for Azure administrators<\/em><\/p>\n<p>A variety of finders are credited for the patched issues, some working with known and respected research houses and others more obscure. 
The vulnerabilities themselves are harder to tell apart, at least by title; for example, in the past six months we\u2019ve seen six \u201cAzure RTOS GUIX Studio Remote Code Execution Vulnerability,\u201d 29 \u201cAzure Site Recovery Elevation of Privilege Vulnerability,\u201d and 31 \u201cAzure Site Recovery Elevation of Privilege Vulnerability\u201d CVEs.<\/p>\n<p><strong>CERT\/CC: CVE-2022-34301 Eurosoft Boot Loader Bypass (CVE-2022-34301)<\/strong><\/p>\n<p><strong>CERT\/CC: CVE-2022-34302 New Horizon Data Systems Inc Boot Loader Bypass (CVE-2022-34302)<\/strong><\/p>\n<p><strong>CERT\/CC: CVE-2022-34303 Crypto Pro Boot Loader Bypass (CVE-2022-34303)<\/strong><\/p>\n<p>This trio of security-feature bypass CVEs arrives with CVE numbers assigned not by Microsoft\u2019s CNA (CVE Numbering Authority), as is usual for Microsoft patches, but by the US CERT Coordination Center (CERT\/CC). GRUB is another boot loader (GNU GRand Unified Bootloader), and one of the two Advisories this month (\u201cMicrosoft Guidance for Addressing Security Feature Bypass in GRUB\u201d, ADV200011) touches on that.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-03-2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-86307\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-03-2.png\" alt=\"Cumulative CVE counts for 2022's Patch Tuesdays\" width=\"640\" height=\"426\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-03-2.png 2934w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-03-2.png?resize=300,200 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-03-2.png?resize=768,512 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-03-2.png?resize=1024,682 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-03-2.png?resize=1536,1023 1536w, 
https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/figure-03-2.png?resize=2048,1365 2048w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 4: Elevation-of-privilege issues continue to dominate in 2022, though odds are that any given RCE issue this year is of greater severity<\/em><\/p>\n<p><strong>Sophos protection<\/strong><\/p>\n<p>(Ever wondered about behavior names, by the way? Sophos\u2019 naming conventions line up with the MITRE ATT&amp;CK framework. Details are available <a href=\"https:\/\/docs.sophos.com\/central\/customer\/help\/en-us\/ManageYourProducts\/Overview\/LogsReports\/Logs\/Events\/MaliciousBehaviorTypes\/index.html\">elsewhere on our site<\/a>.)<\/p>\n<p>Part of our current protection against the CVE-2022-34713 bug involves a blocking detection. Sophos will continue to evaluate the most effective ways to address the malicious CAB files associated with CVE-2022-34713.<\/p>\n<p>As every month, if you don\u2019t want to wait for your system to pull down the updates itself, you can download them manually from the Windows Update Catalog website. 
Run the winver.exe tool to determine which build of Windows 10 or 11 you\u2019re running, then download the Cumulative Update package for your particular system\u2019s architecture and build number.<\/p>\n<\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2022\/08\/10\/microsoft-squares-away-121-cve-patch-tuesday-for-august\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/08\/64145636_m.jpg\"\/><\/p>\n<p><strong>Credit to Author: Angela Gunn| Date: Wed, 10 Aug 2022 12:31:41 +0000<\/strong><\/p>\n<p>Another tough month for Azure admins; meanwhile, Windows takes a long road to a Dogwalk<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[27254,26337,10516,19245,16771],"class_list":["post-19810","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-dogwalk","tag-follina","tag-microsoft","tag-patch-tuesday","tag-threat-research"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19810","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19810"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19810\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada
.net\/index.php\/wp-json\/wp\/v2\/media?parent=19810"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=19810"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19810"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}